
Recipe: Strong Customer Authentication (PSD2)

Implement PSD2-compliant SCA flows with Meridian's hardware-bound device fingerprint and possession attestation.

Overview

PSD2 requires Strong Customer Authentication combining at least two of: knowledge (something the user knows), possession (something the user has), and inherence (something the user is). Meridian provides the possession factor via TPM-backed device binding and the inherence factor via hardware fingerprint continuity.

Architecture

1. User initiates payment → backend requests SCA challenge
2. Meridian SDK generates possession proof (TPM EK signature)
3. Fingerprint continuity check confirms same device
4. Backend validates attestation → authorizes transaction

Integration

// 1. Request SCA challenge from your backend. fetch() resolves to a Response,
//    so the JSON body has to be parsed before the nonce can be read.
const challengeRes = await fetch("/api/sca/challenge", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ transactionId }),
});
const challenge = await challengeRes.json();

// 2. Generate possession proof via Meridian (meridian is the initialised SDK client)
const proof = await meridian.attest({
  challenge: challenge.nonce,
  binding: "tpm-ek",
});

// 3. Submit proof to complete SCA and act on the backend's verdict
const verifyRes = await fetch("/api/sca/verify", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ transactionId, proof }),
});
if (!verifyRes.ok) {
  throw new Error(`SCA verification failed: ${verifyRes.status}`);
}

Compliance Notes

  • Possession factor satisfies EBA RTS Article 6(2) via TPM-bound key
  • Inherence factor uses device fingerprint continuity per Article 6(3)
  • Dynamic linking binds authentication code to transaction amount and payee
  • Exemptions supported: low-value, trusted beneficiary whitelist, corporate

Need help with PSD2 compliance? Contact our team for implementation guidance.